Trellix ESM Reviews

The Dashboard Views are the most valuable feature since it visualizes network and security-related use cases we develop. This visualization clearly articulates the current and past state of network traffic and correlation rule hits.

I also value the ability to integrate with third-party threat feeds, including McAfee’s feed, in order to sift through the data to find any anomalies. Through this process, we have further hardened the network security and perimeter security of our clients.

The best way to describe the improvement is within the following areas:

1. Network Operations. Without visibility of network related issues, we have discovered many routing issues and network noise that could have otherwise been left to consume capacity on our clients networks. We have complete visibility of what has changed and who made changes to network related infrastructure.
2. Security Operations. We have almost real-time visibility, and with the manner in which we configure alarms, including the processes that we have implemented, we can easily initiate the security incident handling procedures. The threat feeds add a load of value in terms of investigations and through that procedure, we can quite easily remedy web filtering, endpoints, and perimeter firewalls.

A specific note on Botnets and Beaconing -- using watchlist for malicious IP addresses, it doesn’t take us long to block communication and clean endpoints.

The API the product provides still needs to develop some maturity. There is not a lot of documentation available on it. My recommendation for improvement is that the API is developed in such a way to make it more useable for different implementations. I would also recommend looking at advanced views to quickly make visible lateral movements, data staging, and data exfiltration.

I've been using it for three years as a managed security services provider.

We have had no issues with the deployment.

There have been no issues with the stability.

We once processed so many logs that we almost ran out of hard drive space. However, all our clients implementations are running smoothly and their health status remain green. My view is that the technology is mature in terms of its design and the manner in which it processes logs. It is easy to configure and easy to use.

Very good. We are a Global Intel Security Partner and we seldom have any support issues. The technical engineers from Intel Security are very helpful. There is so much technical documentation available in the community pages that when I started out, it really didn’t take me long to configure my first few dashboards.

I have used other products before. Having been an endpoint engineer before, there was this feeling of familiarity when I started out using Enterprise Security Manager. The flow for me was the same as with ePO.

I remember the first client I on-boarded and it was pretty straightforward adding data sources. In less than a minute, I could see the events populating on the screen. We developed a custom taxonomy of attacks and related the signature IDs to our own custom taxonomy. We were logging incidents to our helpdesk within the first month to remediate.

The lessons learned from other implementations is that you need to have a plan before you just add data sources. There must be an intent and purpose with each data source that you want to add to ESM. Otherwise, you are just collecting events for the purpose of collection.

We implemented it ourselves. The technology is really easy to install, but you need to be cognizant of the events-per-second and be really critical around the type of events that you forward to the ESM appliance, ensure they are useful. From the second implementation, we followed advise by SANS, and now use a “use case” (events of interest) driven approach.

You will definitely get a return on your investment if you develop the correct security management metrics and have decent operational procedures in place to take action on events in ESM. MSSP clients normally get bang for their buck.

There is an API available on ESM, which you can use to automate certain tasks to a point. Use the API to pump data into your data warehouse, which you can then start utilizing for data analysis purposes. You can develop your own baselines for user and asset behavior, and start looking at threat-hunting exercises. For the configuration of variables and custom rules, you need to know what you are doing because otherwise you can end up generating more events and useless events.

Trellix ESM is very user-friendly.

Trellix's resource consumption is too high, and it could be lower. It would be nice if Trellix could reduce the requirements for RAM and storage.

Product-wise, adding accounts on a single data source by batch would be a really great help. Then for the support, it would be a lot better if customer support from Trellix would reach out to us as partners.

I have been testing Trellix ESM for a few months.

Trellix ESM is easy to implement. In addition, it would be better if I had enough hardware resources to run or implement it.

I am working with the free trial version of Trellix ESM. I am very satisfied with Trellix ESM. There are minor additional features that we need to add to it, but for now, I'm very satisfied with it.

I would advise users to learn NQL so that they can understand how the data goes from raw data to normalized data and how to create their custom rules.

Overall, I rate Trellix ESM an eight out of ten.

This is the first SIEM product that I have used. My impressions so far are that I like the vendor support from McAfee and the overall architecture looks simple.

I helped a client of ours implement and deploy it.

The product documentation is good, but could be better. Also a bug-free version would be nice as the version I worked on had a bug in the alarm system.

I've used it for five months.

We had bug alarm issues during deployment. The bug, I think, was part of the product.

We had no issues with the stability.

We have had no issues scaling it for our needs.

Customer service is very good.

Technical support is very good.

The initial setup was straightforward.

You will have a better implementation if you get support from the vendor.

Overall, it was expensive, as it has split components.

We have now started using ArcSigh as well. I don't have much experienced with it, but the overall architecture looks similar to McAfee.

It's SIEM. Obviously, normalization of data is the biggest factor.

We perform security event monitoring for over 700 individual servers, firewalls, and applications. It's not possible to monitor over 500 million events per day with SIEM.

McAfee is working on a newer ELS product for a faster search which will change everything about how a SIEM can perform.

I have been using this product for the past eight years.

Just like any other software/hardware platform, once in awhile we have issues with software bugs, but McAfee's support is good in helping to fix these issues in a timely manner.

Biggest benefit of McAfee SIEM is its easy scalability. It doesn't restrict you to a particular hardware or storage solution.

Mcafee's SIEM support team is very good.

I used ArcSight at a different job, but when we bought SIEM at my current job, it was NitroView. Later, McAfee acquired them.

It had a few hurdles initially, but in its current versions and offerings McAfee SIEM is sort of plug and play. It has so many offerings out-of-the-box.

McAfee's pricing is competitive in the industry and their licensing model is for hardware only.

We checked ArcSight, but their pricing was expensive.

McAfee ESM is the perfect SIEM tool, and it provides best results based on data intake and rule based configuration.

I would suggest users identify the data sources they want to interject into SIEM for monitoring, correlation, and work with the sales team to understand the total EPS and choose the right set of hardware, especially the ESM which will perform majority of work for your organization. With the right specs for hardware, it will help you achieve your goal.

The easy interface is the most valuable feature.

Through correlation rules, it finds malware that compromised the computer that anti-virus and other security solutions do not find.

I had a couple of problems collecting Windows events. The local plugin should be easier to use, because when ESM is collecting through the manager, many performance issues occur.

I have been using McAfee for over three years.

We did have stability issues, but they were resolved by McAfee support.

We have not had scalability issues.

I would give technical support a rating of 8/10.

I used different solutions, but for different clients.

This was the easiest initial setup that I have made.

The product is worth the price. There are other cheaper tools in the market, but it is harder to work with them.

We looked at HPE ArcSight, Splunk, RSA Analytics, and IBM QRadar.

Stay focused, read the documentation, plan it well, and the project will be a success.

Dashboards, which can be customized to display alerts and queries, and rules, which trigger alerts, are the most valuable features for us.

We now have a better view of our security posture from an external and internal point of view. We are able to do forensic investigations and stop attacks before they occur.

The reporting could use some improvement. Also, while the dashboard can be customized to an extent, I'd like to have the ability to do even more customization.

We've used it for two years.

We've had no deployment issues.

There have been no issues with the stability.

Scaling it has been fine. We've had no issues with an inability to scale.

In our experience, technical support has been good.

• QRadar
• RSA enVision

Deployment of any of these products is easy. What becomes a daunting task is the creation of use cases and also ensuring that alerts are accurate.

We used an in-house team with a vendor in-office assistant.

Executives don’t see ROI on this solution as the reports are not meant for C-levels.

Make sure you know exactly why you are implementing it and what you are going to monitor. Also, ensure that you have all your use cases way before venturing into buying a solution of this nature.

We are using the solution for log analyzing endpoints and investigating all types of applications, files or network devices login collection.

McAfee as a whole is a good solution.

When it came to using the solution for a larger organization, we were faced with some troubles attempting to manage the GUI functionality. During some forensic investigations, some of the information was missing from the collected data. 

It cannot integrate with our Next-Generation Firewall and few applications such as Cisco ACI. For Postgre databases, the solution did not collect a lot of information from it. It has some integration problem. Companies, therefore, have to invest twice for collecting logs rather than one SIEM.

I have been using the solution for two years.

The initial setup was a bit complex.

The local partner we had was not very experienced in implementing the solution. However, the solution was first implemented in our country.

It has performed well and delivered the results that I have been looking for.

It does a good job for us.

• Ease of use.
• Quick training period.

I can't scale it.

I would like to see AI play a major role going forward.

It is a stable product.

I have to purchase a new box now. Its existing box is not scalable and I can't use it anymore.

It has good technical support, which is available around the clock. You can call up anytime and get whatever you want. My queues are resolved.

I was not involved in the initial setup, but it was straightforward.

We are currently evaluating ArcSight and LogRhythm.

At the time we previously purchased McAfee, I had fewer requirements and it catered to my needs.

Most important criteria when selecting a vendor: support.